Squid not working in transparent mode on pfSense configured in bridge mode



  • Sorry, I had already posted this same question under FIREWALL, but I thought it may be better to post it under PACKAGES.

    I have recently deployed pfSense 2.0.2 in transparent firewall/bridge mode. My network configuration is this:

    Modem-------Mikrotik Router---------pfSense (transparent firewall/bridge mode)----------------switch--------clients

    Without squid proxy, clients can have access to the internet. After installing squid and configuring it in transparent mode so that I will not have to configure each client browser (we have more than 100 clients), the clients cannot access the internet. But if I configure squid in NON-TRANSPARENT mode, i.e. uncheck the Transparent proxy box, the clients will have access to the internet. If I revert back to transparent mode, i.e. check the Transparent proxy box on the pfSense, and leave the proxy setting in the browsers, then the clients can access the internet. But once I remove the proxy settings from the browser while squid is in transparent mode, the clients will not have access to the internet.

    HTTP packets did NOT get to the WAN interface of the pfSense when I used pfSense Packet Capture to capture packets going through the WAN interface of the pfSense while squid was configured in transparent mode.

    I have searched for any helpful information to make squid work in transparent mode on pfSense configured as a transparent firewall/bridge but have so far found NO useful information.

    Please, any help will be appreciated. I need to get squid working because that's one of the reasons I set up the pfSense box.

    Thank you.



  • @chuksonpfsense:

    If I revert back to transparent mode, i.e. check the Transparent proxy box on the pfSense, and leave the proxy setting in the browsers, then the clients can access the internet. But once I remove the proxy settings from the browser while squid is in transparent mode, the clients will not have access to the internet.

    Could you please phrase your problem differently, because the sequence of sentences doesn't give a clear picture of:

    • where you started
    • where you have been in the middle
    • where you exactly left off

    I only know that you want to configure squid in transparent mode. That's why I don't understand what you mean by the above-marked sentence.



  • Thank you deltalord

    To make it simple:

    When I configure squid in transparent proxy mode, the computers on the LAN CANNOT access the internet. If I disable squid, the computers CAN access the internet.

    Sorry for the mix-up, I was only trying to explain some things I have tried so far to solve the problem.

    I hope you can now understand.



  • Ok, just for clarification, you tried the following setups, am I right?

    • No squid activated --> working WAN connection for the clients
    • Activate squid w/o transparent mode (thus client auth mode) with squid credentials within the browser proxy settings --> working WAN connection for the clients
    • Activate squid in transparent mode (obviously without squid's credentials within browser proxy settings) --> broken WAN connection for the clients
    • Activate squid in transparent mode BUT still having the proxy settings within the browser config --> working WAN connection for the clients


  • @deltalord:

    Ok, just for clarification, you tried the following setups, am I right?

    • No squid activated --> working WAN connection for the clients
    • Activate squid w/o transparent mode (thus client auth mode) with squid credentials within the browser proxy settings --> working WAN connection for the clients
    • Activate squid in transparent mode (obviously without squid's credentials within browser proxy settings) --> broken WAN connection for the clients
    • Activate squid in transparent mode BUT still having the proxy settings within the browser config --> working WAN connection for the clients

    YES, that's exactly the situation.


  • Rebel Alliance Developer Netgate

    It's been covered before, but it's been a while:

    Squid + Transparent mode alone + Bridge does not, and cannot work. Not sure if that will change in the future.

    If you have the settings in the user's browser, then it is not using transparent mode.



  • @jimp:

    It's been covered before, but it's been a while:

    Squid + Transparent mode alone + Bridge does not, and cannot work. Not sure if that will change in the future.

    If you have the settings in the user's browser, then it is not using transparent mode.

    Are you saying that I cannot run squid in transparent mode on pfSense configured as a transparent firewall/bridge? Does it mean you can only run squid in transparent mode if you configure pfSense as the router?

    Could you please throw more light on this?

    Thank you.


  • Rebel Alliance Developer Netgate

    Correct.

    Squid + Transparent + Bridge == Broken
    Squid + Transparent + Routing == OK



  • @jimp:

    Correct.

    Squid + Transparent + Bridge == Broken
    Squid + Transparent + Routing == OK

    Please, I'm actually a newbie in pfSense. I really like some features of pfSense that I would want to deploy. Would you please advise me on how to deploy it in my network together with the Mikrotik router? I want to keep the Mikrotik and still enjoy some benefits of pfSense. That was why I configured the pfSense in bridge mode, but I didn't know that if you configure pfSense in bridge mode then squid CANNOT work in transparent mode. Is there a way I can use the Mikrotik router and pfSense without configuring the pfSense in bridge mode, so that I can run squid in transparent mode?

    Thank you.



  • @Jimp has confirmed that squid CANNOT work in transparent mode while pfSense is configured as a transparent firewall/filtering bridge.

    Now how can I configure pfSense as a firewall behind a Mikrotik router? I have attached the network diagram. I don't want to replace the Mikrotik router completely, hence the need to have the two on the network.

    I saw this article: http://fafadiatech.blogspot.com/2012/05/setting-up-pfsense-as-main-firewall-and.html but the writer was not specific about his configurations.

    Any help will be appreciated




    In that article he shows a Cisco router where your Mikrotik router is in your diagram. But in the setup he has the public WAN IP on the pfSense firewall. I don't know what the Cisco in his diagram is doing - from what he sets up, the Cisco is passing through ("bridging"?) the external public IP to the pfSense.
    Why do you want to retain the Mikrotik? Is there other gear between the Mikrotik and pfSense that you want in front of the pfSense for some reason?
    I would have just put the pfSense WAN to the modem and let the pfSense WAN have the public IP address - it is a firewall+router first, as well as able to do Squid proxy etc.



  • Thanks phil.

    I know in the article a Cisco router was used, but I cited it because it has a close setup to mine. As for his configuration, I wouldn't know what he did.

    I'm going ahead with the installation. I will get back to this forum as it progresses.



  • Preliminary update:

    I have successfully configured the pfSense behind the edge Mikrotik router. However, in order not to cut users off from the internet, I connected the pfSense WAN to the switch where the Mikrotik is connected to. So I have:

    internet-------mikrotik-------switch--------WAN pfsense LAN------switch------PC
                                    |
                              Production LAN

    Mikrotik: WAN - DHCP
              LAN - 192.168.20.2

    pfsense:  WAN - 192.168.20.1
              LAN - 192.168.21.1

    PC:       LAN - 192.168.21.2

    Prod LAN - 192.168.20.x

    My production LAN traffic FOR NOW goes straight to the Mikrotik and uses the default gateway of 192.168.20.2, while I'm using the PC (the only computer connected through the pfSense) to configure and test the connectivity. The PC has a default gateway of 192.168.21.1.

    The pfSense and Mikrotik are doing double NATing. I can access the internet from the PC. The pfSense can resolve domain names and download packages. Everything seems to be going well. When I disable NAT on the pfSense, the PC loses access to the internet, which is understandable knowing that the PC and the LAN of the Mikrotik are in different subnets.

    My next step is to install some packages, especially squid, and see how it works, play around with some configurations, and I promise to keep you posted.

    Lastly, I will remove the switch before the Mikrotik router, wire the pfSense WAN straight to the ROUTER LAN, and force every user to pass through the pfSense.

    I'm excited and will post all the stages here; it might just help someone.



  • Glad you made an effort! Thanks for the update, keep us posted; always interested in unconventional setups and seeing them working.



  • Further update:
    Squid is working in transparent mode!!! Also, I got bandwidthd and lightsquid working. I must mention that I tried WITHOUT success to get bandwidthd to work in bridge mode. Meanwhile, lightsquid did not work in my previous configuration, obviously because transparent squid was not working. So I was glad to get it working, so I can now say that:

    pfsense in bridge mode + bandwidthd = BROKEN
    pfsense in bridge mode + lightsquid = BROKEN

    Next step:
    Configure client-to-site VPN
    Install and configure other packages including squidguard, snort, ntop, etc.
    Connect the production LAN through the pfsense
    Report back to the forum ;D

    Well, that will be on Monday, 18/3/2013.

